Box No. I Basis of the report


1. With regard to the language, this report is based on the international application in the language in which it was 
filed, unless otherwise indicated under this item. 

□ This report is based on translations from the original language into the following language , 
which is the language of a translation furnished for the purposes of: 

□ international search (under Rules 12.3 and 23.1(b)) 

□ publication of the international application (under Rule 12.4) 

□ international preliminary examination (under Rules 55.2 and/or 55.3) 

2. With regard to the elements* of the international application, this report is based on (replacement sheets which 
have been furnished to the receiving Office in response to an invitation under Article 14 are referred to in this 
report as "originally filed" and are not annexed to this report): 


Description, Pages

2-9 as originally filed
1, 1a received on 27.04.2005 with letter of 26.04.2005

Claims, Numbers

1-11 received on 27.04.2005 with letter of 26.04.2005

Drawings, Sheets

1/2, 2/2 as originally filed


□ a sequence listing and/or any related table(s) - see Supplemental Box Relating to Sequence Listing 

3. □ The amendments have resulted in the cancellation of: 

□ the description, pages 

□ the claims, Nos. 

□ the drawings, sheets/figs 

□ the sequence listing (specify): 

□ any table(s) related to sequence listing (specify): 

4. □ This report has been established as if (some of) the amendments annexed to this report and listed below 
had not been made, since they have been considered to go beyond the disclosure as filed, as indicated in the 
Supplemental Box (Rule 70.2(c)). 

□ the description, pages 

□ the claims, Nos. 

□ the drawings, sheets/figs 

□ the sequence listing (specify): 

□ any table(s) related to sequence listing (specify): 

* If item 4 applies, some or all of these sheets may be marked "superseded."

Box No. V Reasoned statement under Article 35(2) with regard to novelty, inventive step or industrial
applicability; citations and explanations supporting such statement

1. Statement 


Novelty (N)                     Yes: Claims 1-11
                                No:  Claims

Inventive step (IS)             Yes: Claims 1-11
                                No:  Claims

Industrial applicability (IA)   Yes: Claims 1-11
                                No:  Claims

2. Citations and explanations (Rule 70.7): 
see separate sheet 
Reasoned statement under Rule 43bis.1(a)(i)

1. It is considered that independent claims 1 (method) and 9 (system) relate to new
and inventive subject-matter (Articles 33(2) and (3) PCT), since the prior art does
not disclose or suggest the specifically claimed transparent access authentication of
subscribers.

1.1 The following document

D1: "Access security for IP-based services (Release 5)" 3GPP TS 33.203 V5.6.0,
June 2003 (2003-06), pages 1-27, 34, XP002264085 (acknowledged in the
description),

is regarded as being the closest prior art and discloses a method for access
authentication of subscribers (Authentication of an IM-subscriber; paragraph 6.1.1)
connected to an authenticating network domain by a GPRS core network or a
UMTS network (PS-Domain in figure 1; also figure 3), wherein the method uses data
which are assembled by a network layer during establishment of a PDP context in
GPRS networks (the IP address established during establishment of a primary PDP
context is used for all further communication; this feature is implicitly disclosed in
document D1).

1.2 The problem with this prior art is that no authentication on the application layer is
foreseen in the GPRS standard. Thus there is a need to provide a transparent access
authentication of subscribers without requiring extensions on network or client side
(description, page 1, lines 25-29 and page 2, lines 15-16).

1.3 The application solves this problem by providing the method with the following steps:

when a Gateway GPRS Support Node (1) receives a context creation request it
queries a registration server (2) to get an IP address assigned for the particular
PDP context, and within the context the registration server (2) receives a Mobile
Station ISDN Number, MSISDN, and/or an International Mobile Subscriber
Identity, IMSI, of the subscriber and stores for each PDP context a pair of IP
address and IMSI/MSISDN in a session database (3),

a proxy server (5) is provided which checks IMSI/MSISDN from a registration
server (2) session database (3) and IMSI/MSISDN from an application domain
database (4) for match,

if the IMSI/MSISDN pairs are matching, the proxy server (5) checks a
subscriber's IP address assigned in the IP network layer for match with the IP
address assigned by the registration server (2), and

the proxy server (5) parses the application layer for IP addresses given in the
headers of registration messages and checks for match with the network layer
IP address which was already checked for match with the IP address assigned
by the registration server (2).

No prior art document anticipates the proposed solution. 

1.4 Independent claim 9 contains the corresponding features as the method of claim 1
expressed respectively in terms of the system. The argumentation of the points
1.1-1.3 applies mutatis mutandis also for this claim.

2. Claims 2-4 and 6-11 are dependent respectively on claims 1 and 9 and therefore 
also meet the requirements of Art.33(2) and Art.33(3) PCT. 
Transparent Access Authentication in 2G and 2.5G Mobile
Access Networks

The present invention relates to a method and system for
transparent access authentication in 2G and 2.5G Mobile
Access Networks. This includes communication networks of the
GSM-, GPRS- and UMTS-standard well known to skilled persons.



In standardisation of Universal Mobile Telecommunication
System (UMTS Rel.5) comprehensive means are foreseen to
perform authentication on the application layer with no need
to interwork with the underlying radio and transport
networks. The mechanisms are based on the assumption that a
specific environment is prepared for deployment of IP
Multimedia Subsystem (IMS) services. It includes the use of
IMS SIM (ISIM) application, which in turn requires
Rel.asUICC's in the connected end devices to handle the
authentication and key agreement (AKA).

In case of deployment of IMS and IMS based services in a
network environment which is characterised by the use of SIM
cards, the standardised authentication mechanism will not be
applicable.

The Technical Specification 3GPP TS 33.203: "Access Security
for IP-based Services", Release 5, V5.6.0, June 2003 /
XP002264085, discloses a method for transparent access
authentication of subscribers connected to an authenticating
network domain by a GPRS core network or an UMTS network, the
method using data which are assembled by a network layer
during establishment of a PDP context in GPRS networks.


28-04-2005 


EP0408574 


T0301B PCT la 

It is the object of the invention to provide method and
system for transparent access authentication which allow it
to run authentication transparently to the end device,
without requiring proprietary extensions and functions on
network or client side.

This object is achieved by providing a method and system 
as described in the independent claims. 
Claims




1. Method for transparent access authentication of
subscribers connected to an authenticating network domain
by a GPRS core network or an UMTS network, wherein the
method using data which are assembled by a network layer
during establishment of a PDP context in GPRS networks,
characterised in

that when a Gateway GPRS Support Node (1) receives a
context creation request it queries a registration server
(2) to get an IP address assigned for the particular PDP
context, and within the context the registration server
(2) receives a Mobile Station ISDN Number, MSISDN, and/or
an International Mobile Subscriber Identity, IMSI, of the
subscriber and stores for each PDP context a pair of IP
address and IMSI/MSISDN in a session database (3),

that a proxy server (5) is provided which checks
IMSI/MSISDN from a registration server (2) session
database (3) and IMSI/MSISDN from a application domain
database (4) for match,

that if the IMSI/MSISDN pairs are matching, the proxy
server (5) checks a subscribers IP address assigned in
the IP network layer for match with the IP address
assigned by the registration server (2), and

that the proxy server (5) parses the application layer
for IP addresses given in the headers of registration
messages and checks for match with the network layer IP
address which was already checked for match with the IP
address assigned by the radius server (2).

2. Method according to claim 1, comprising the step that
during PDP context establishment a Serving GPRS Support
Node (SGSN) is authenticating the subscriber using the
A3/A8 algorithm based on an end devices SIM card.

3. Method according to any preceding claim, comprising the
step that in all subsequent messages arriving at the
proxy server (5), it checks for match of IP address in
the IP packet overhead field for source address with that
in the application layer protocol header fields and
verifies the matching pairs against the IP address
assigned by the Radius server (2).

4. Method according to any preceding claim, that a routing
module (7) is provided which is a standard entry point
for all messages and decides by evaluation of Private ID,
PrivID, which network node will handle the message.

5. System of units in a mobile telecommunication network,
characterised that at least a first authentication unit
(2) is connected via a data line to a second unit (5; 6)
which assembles data according to the method of claim 1.

6. System according to claim 5, wherein the first unit
comprises a registration server (2).

7. System according to claim 5 or 6, wherein the first unit
(2) is connected to a session database (3).

8. System according to any of claims 5 to 7, wherein the
second unit comprises a proxy server (5).

9. System according to any of claims 5 to 8, wherein the
second unit comprises a Proxy Call State Control Function
(6).

10. System according to any of claims 5 to 9, wherein the
second unit (5; 6) is connected to a subscriber database
(4).

11. System according to any of claims 5 to 10, wherein a
routing module (7) is provided which decides by
evaluation of Private ID, PrivID, which network node will
handle the message.
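
The proxy server checks listed in point 1.3 of the report and in claims 1 and 3, as an added example that is not code from the application or its authors. It assumes SIP-style Via/Contact headers as the registration message headers; `proxy_check`, `register` and all database records are hypothetical, constructed values.

```python
import ipaddress
import re

# Constructed sample data (assumptions): session database (3) filled at PDP
# context creation, application domain database (4) keyed by Private ID.
SESSION_DB = [
    {"ip": "10.20.0.7", "imsi": "001010000000001", "msisdn": "15555550101"},
    {"ip": "10.20.0.8", "imsi": "001010000000002", "msisdn": "15555550102"},
]
SUBSCRIBER_DB = {
    "alice@ims.example": {"imsi": "001010000000001", "msisdn": "15555550101"},
    "bob@ims.example": {"imsi": "001010000000002", "msisdn": "15555550102"},
    "carol@ims.example": {"imsi": "001010000000003", "msisdn": "15555550103"},
}

# Assumption: SIP-style Via/Contact headers carry the client's IPv4 address.
HEADER_IP = re.compile(r"^(?:Via|Contact):.*?\b(\d{1,3}(?:\.\d{1,3}){3})\b", re.M | re.I)


def proxy_check(src_ip, priv_id, message):
    """Apply the proxy server (5) checks in order; return 'ok' or the failed check."""
    sub = SUBSCRIBER_DB.get(priv_id)
    if sub is None:
        return "unknown Private ID"
    # Check 1: IMSI/MSISDN of the subscriber record must match a PDP context session.
    session = next((s for s in SESSION_DB
                    if (s["imsi"], s["msisdn"]) == (sub["imsi"], sub["msisdn"])), None)
    if session is None:
        return "no PDP context for IMSI/MSISDN"
    try:
        source = ipaddress.ip_address(src_ip)
        # Check 2: network layer source IP must be the address assigned for that context.
        if source != ipaddress.ip_address(session["ip"]):
            return "source IP not assigned to subscriber"
        # Check 3: every IP in the application layer headers must equal the source IP.
        header_ips = [ipaddress.ip_address(a) for a in HEADER_IP.findall(message)]
    except ValueError:
        return "malformed IP address"
    if not header_ips or any(ip != source for ip in header_ips):
        return "header IP differs from network layer IP"
    return "ok"


def register(user, ip):
    """Build a constructed registration message for the demo."""
    return (f"REGISTER sip:ims.example SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {ip}:5060;branch=z9hG4bK1\r\n"
            f"Contact: <sip:{user.split('@')[0]}@{ip}:5060>\r\n\r\n")
```

A subscriber who presents another subscriber's Private ID from their own PDP context fails check 2, and a message whose headers name a different address than the packet source fails check 3.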